[Samba] idmap rid finds deleted groups for some users

Jon Gerdes gerdesj at blueloop.net
Fri Jun 16 12:39:03 UTC 2017


Sorry, please ignore my previous - I fixed it using a method I thought
I'd already tried:

systemctl stop smbd nmbd winbindd
rm /var/lib/samba/winbindd_*    # no -r, so the "wb priv" dir is left alone
rm /var/cache/samba/*
systemctl start smbd nmbd winbindd

id now works fine.

Cheers
Jon




On Fri, 2017-06-16 at 11:51 +0000, Jon Gerdes via samba wrote:
> All
> 
> I am using the following config on a PC with Samba 4.6.5 (Arch), joined
> to a 2012 R2 domain/forest.
> 
> idmap config * : backend = tdb
> idmap config * : range   = 1000000-1999999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range   = 10000 - 19999
> 
> # id <username>
> 
> returns a list of groups fine for most users but for some, it includes
> deleted groups and misses groups that have been recently added.
> 
> If I create a new user and a few groups, I can add and remove
> memberships fine and by flushing the cache as required, id works
> fine. 
> For one particular user at least there are several extra entries
> returned by id.  Deleted groups show a gid but no name.  A recently
> added group does not appear in the list.
> 
> These all work correctly:
> # net ads user info <user> -U <me> -S dc2
> # net rpc user info <user> -U <me> -S dc2
> 
> I have rebooted all DCs (Winupdates 8), restarted my PC, flushed
> caches, deleted tdb files, run LDP and ADSI edit to see if there are
> any funny attributes on the user object, cleared all deleted objects
> in AD via PowerShell.
> 
> Running with "log level = 0 winbind:10 idmap:10" shows the "ghost" SIDs
> failing to be looked up but doesn't seem to show me how the SIDs were
> found in the first place to cause a lookup.
> 
> I've run:
> 
> C:\> wmic group get domain,name,sid
> (gets you a list of all groups in the domain and their SIDs)
> 
> and looked for the offending RIDs but they are not there.
> 
> I'm not sure what I can try next.  If anyone could tell me how idmap
> rid finds a list of SIDs for groups belonging to a user that might send
> me down the right path.
> 
> I've just checked a pair of 4.5.x Sambas and they work OK.  I've read
> all the bugs that I could find in Bugzilla but none look appropriate.
> 
> Cheers
> Jon
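
Added example, not part of the original thread: a shell helper that picks out the gids `id` prints without a name and converts them back to RIDs for the MYDOM range quoted above, using the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID. The function name, the sample `id` line and the assumption that `base_rid` is unset (0) are constructed for illustration.

```shell
#!/bin/sh
# Values from "idmap config MYDOM : range = 10000 - 19999" in the post.
LOW=10000
HIGH=19999
BASE_RID=0   # assumption: "idmap config MYDOM : base_rid" is not set

# Constructed sample of `id <username>` output: 11650 and 11833 have no name
# (the symptom described for deleted groups); 1000004 falls in the "*" range.
SAMPLE='uid=11105(MYDOM\jdoe) gid=10513(MYDOM\domain users) groups=10513(MYDOM\domain users),11650,11712(MYDOM\staff),11833,1000004'

# nameless_rids "<id output>"
# Prints one line per group entry that is a bare number (gid without "(name)").
# For gids inside the rid range it also prints RID = gid - LOW + BASE_RID.
nameless_rids() {
    printf '%s\n' "$1" |
    sed -n 's/.* groups=//p' |       # keep only the supplementary group list
    tr ',' '\n' |                    # one entry per line
    awk -v low="$LOW" -v high="$HIGH" -v base="$BASE_RID" '
        /^[0-9]+$/ {
            gid = $0 + 0
            if (gid >= low && gid <= high)
                printf "gid=%d rid=%d\n", gid, gid - low + base
            else
                printf "gid=%d outside-rid-range\n", gid
        }'
}

# Demo on the constructed sample; on a real host pass "$(id <username>)".
nameless_rids "$SAMPLE"
```

Each reported rid is the last component of the group SID, so it can be searched for directly in the `wmic group get domain,name,sid` listing; a rid that is absent there but still appears in `id` points at stale winbindd data rather than at AD.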

